Darknet sites compromised and taken offline following arrest

A man suspected of running the most popular hosting service underpinning the darknet has been arrested in Ireland.

According to media reports, Eric Eoin Marques is currently being held in Ireland on an extradition request by the FBI, relating to four charges to alleged child pornography offences.

The websites he managed offered a high degree of anonymity to users and server administrators than other sites on the public web, as they were accessible only via the Tor routing service.

His arrest on Saturday coincided with mass outages affecting popular services such as Tor Mail, HackBB and the Hidden Wiki that are run on Freedom Hosting, a company largely suspected to be operated by Marques.

Prior to Marques arrest, a new JavaScript exploit (posted to Pastebin) targeting Mozilla FireFox version 17 – the same version bundled with the Tor client – appeared on some Freedom Hosting darknet sites including Tormail.

The exploit, under investigation by Reddit usersTor developers, and Mozilla, appeared only to attempt to reveal the identities of Tor users visiting Freedom Hosting sites by way of an iframe script that quietly generated a universally unique identifier and redirected users to a Verizon Business IP address located near Washington DC.

The discovery of the exploit days before Marques' arrest fuelled suspicions that the attack was orchestrated by US authorities in a bid to identify users of Freedom Host child pornography sites.

One of the earliest accounts of the exploit came from an administrator of the infamous 4Pedo forum who warned users that 'unknown JavaScript' had been inserted across Freedom Hosting darknet sites including popular email service Tormail.

The exploit targeted FireFox vulnerability (MFSA 2013-53) that was patched in the latest versions of Firefox including Firefox Extended Support, Mozilla security lead Daniel Veditz confirmed.

"Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack," he said.

While Tor developers continue to work on ways to protect their users, developer Jacob Applebaum said users should disable JavaScript, which is enabled by default for usability purposes.

A statement by the Tor project said that it had been notified that a large number of hidden service addresses had disappeared from the Tor network on Saturday. “There are a variety of rumours about a hosting company for hidden services that it is suddenly offline, has been breached, or attackers have placed a JavaScript exploit on their website,” it said.

Freedom Hosting was the most popular hosting service on the Tor network. It came under the public spotlight in 2011 after vigilantes aligned with the Anonymous collective warned the service to remove child abuse images residing on its servers.

Sign up to our newsletters